How to define Caddyfile to test reverse proxy using nip.io?

1. The problem I’m having:

I’m trying to test Caddy using a wildcard DNS service (e.g. nip.io), but I am unable to replicate the default Caddy webpage in doing so. More specifically, navigating to 192.168.20.11.nip.io:4080 does not result in the default Caddy success webpage. The error I get in the browser is ERR_SSL_PROTOCOL_ERROR.

My goal (for now) is to be able to navigate to homebox.192.168.20.11.nip.io:4080 and successfully have it reverse proxy.

2. Error messages and/or full log output:

Feb 28 16:05:59 revprox systemd[1]: Reloaded Caddy.
Feb 28 16:06:00 revprox caddy[2948]: {"level":"info","ts":1709136360.593289,"logger":"tls.obtain","msg":"lock acquired","identifier":"homebox.192.168.20.11"}
Feb 28 16:06:00 revprox caddy[2948]: {"level":"info","ts":1709136360.5938187,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"homebox.192.168.20.11"}
Feb 28 16:06:00 revprox caddy[2948]: {"level":"debug","ts":1709136360.5939467,"logger":"events","msg":"event","name":"cert_obtaining","id":"9777d2e6-e8ee-4538-8072-1ea05c4ffc96","origin":"tls","data":{"identifier":"homebox.192.168.20.11"}}
Feb 28 16:06:00 revprox caddy[2948]: {"level":"debug","ts":1709136360.5942268,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Feb 28 16:06:00 revprox caddy[2948]: {"level":"info","ts":1709136360.5944674,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["homebox.192.168.20.11"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
Feb 28 16:06:00 revprox caddy[2948]: {"level":"info","ts":1709136360.5945668,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["homebox.192.168.20.11"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"caddy@zerossl.com"}
Feb 28 16:06:01 revprox caddy[2948]: {"level":"debug","ts":1709136361.3678856,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 28 Feb 2024 16:06:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3iiYN4u48S-4RtWY1tGUaOgSN-P1pFbtDOm8N5KnWJ08yGNe2GU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Feb 28 16:06:01 revprox caddy[2948]: {"level":"debug","ts":1709136361.8744447,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1593315107"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["223"],"Content-Type":["application/problem+json"],"Date":["Wed, 28 Feb 2024 16:06:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3iiYN4u40QNOJw3lHmHjyWBCIieuTbFY1gFM2BwGkL6bm-30k-o"],"Server":["nginx"]},"status_code":400}
Feb 28 16:06:01 revprox caddy[2948]: {"level":"error","ts":1709136361.8750403,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homebox.192.168.20.11","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"homebox.192.168.20.11\": Domain name does not end with a valid public suffix (TLD)"}
Feb 28 16:06:01 revprox caddy[2948]: {"level":"debug","ts":1709136361.875277,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
Feb 28 16:06:01 revprox caddy[2948]: {"level":"info","ts":1709136361.8755693,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["homebox.192.168.20.11"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
Feb 28 16:06:01 revprox caddy[2948]: {"level":"info","ts":1709136361.8756762,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["homebox.192.168.20.11"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
Feb 28 16:06:11 revprox caddy[2948]: {"level":"debug","ts":1709136371.3485246,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 28 Feb 2024 16:06:11 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ZZea9VA8LvC7I3-YNl198da599ntXKGSsNJuTCO-qD8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
Feb 28 16:06:14 revprox caddy[2948]: {"level":"debug","ts":1709136374.0040543,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["127"],"Content-Type":["application/problem+json"],"Date":["Wed, 28 Feb 2024 16:06:13 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["bvEvHmg5GCBwXD3mV6grafIMqqkPpZyYVb5fiqMa8WA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":400}
Feb 28 16:06:14 revprox caddy[2948]: {"level":"error","ts":1709136374.0046709,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homebox.192.168.20.11","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [homebox.192.168.20.11]"}
Feb 28 16:06:14 revprox caddy[2948]: {"level":"debug","ts":1709136374.0048182,"logger":"events","msg":"event","name":"cert_failed","id":"6d92ea1d-0ca4-44c7-bb8c-f90adc2fa2e7","origin":"tls","data":{"error":{},"identifier":"homebox.192.168.20.11","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
Feb 28 16:06:14 revprox caddy[2948]: {"level":"error","ts":1709136374.0049512,"logger":"tls.obtain","msg":"will retry","error":"[homebox.192.168.20.11] Obtain: [homebox.192.168.20.11] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [homebox.192.168.20.11] (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":13.411232436,"max_duration":2592000}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"info","ts":1709136434.0058184,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"homebox.192.168.20.11"}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"debug","ts":1709136434.0063603,"logger":"events","msg":"event","name":"cert_obtaining","id":"b2b75481-a897-4e0b-aaf4-2e8a7bc8c1ad","origin":"tls","data":{"identifier":"homebox.192.168.20.11"}}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"debug","ts":1709136434.006529,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"debug","ts":1709136434.7307415,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 28 Feb 2024 16:07:14 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0ilprt0g3LRq3Yxgja0kxg9Xion_ZvZ8X2mPxse3ZjXUBhvi9dA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"debug","ts":1709136434.9770396,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["138264243"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["223"],"Content-Type":["application/problem+json"],"Date":["Wed, 28 Feb 2024 16:07:14 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0ilprt0g_jg0vcWNMqJiS7ZwfrLBzStZKQSMAq4e5_TAFYmk-6k"],"Server":["nginx"]},"status_code":400}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"error","ts":1709136434.977465,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homebox.192.168.20.11","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Error creating new order :: Cannot issue for \"homebox.192.168.20.11\": Domain name does not end with a valid public suffix (TLD)"}
Feb 28 16:07:14 revprox caddy[2948]: {"level":"debug","ts":1709136434.9776661,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
Feb 28 16:07:17 revprox caddy[2948]: {"level":"debug","ts":1709136437.2386932,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 28 Feb 2024 16:07:17 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["xtBhNsmyc2lr-rgne7IKmLPz9st26MNnDL-HJbKzzgU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
Feb 28 16:07:19 revprox caddy[2948]: {"level":"debug","ts":1709136439.5025406,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["127"],"Content-Type":["application/problem+json"],"Date":["Wed, 28 Feb 2024 16:07:19 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["O3IEqE6mGlkicU-M373BAgk-3gQgO6gTFoxlvxPXkQY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":400}
Feb 28 16:07:19 revprox caddy[2948]: {"level":"error","ts":1709136439.5031528,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homebox.192.168.20.11","issuer":"acme.zerossl.com-v2-DV90","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [homebox.192.168.20.11]"}
Feb 28 16:07:19 revprox caddy[2948]: {"level":"debug","ts":1709136439.5033383,"logger":"events","msg":"event","name":"cert_failed","id":"756e29d6-0da2-4ea0-b079-49f73825adc3","origin":"tls","data":{"error":{},"identifier":"homebox.192.168.20.11","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
Feb 28 16:07:19 revprox caddy[2948]: {"level":"error","ts":1709136439.5034623,"logger":"tls.obtain","msg":"will retry","error":"[homebox.192.168.20.11] Obtain: [homebox.192.168.20.11] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [homebox.192.168.20.11] (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":78.909743511,"max_duration":2592000}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Official install instructions for Debian/Ubuntu (Install — Caddy Documentation)

a. System environment:

This is where it gets a bit complicated.

Caddy is run in a VM Guest (Ubuntu server 22.04 LTS) hosted on a Proxmox machine. The Caddy VM is behind a NAT.
The host machine has IP 192.168.20.11. The Caddy VM has IP 10.0.0.4.

The Caddy VM listens on its default ports (80, 443), but these are reached through a port forward from the host machine (4080->80, 4443->443).

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

192.168.20.11 {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

homebox.192.168.20.11 {
	reverse_proxy 10.0.0.6:3100
}

5. Links to relevant resources:

Shouldn’t that end with .nip.io? :slight_smile:


I don’t think you’ll be able to get a publicly trusted cert (from Let’s Encrypt) using .nip.io so you’ll need to add tls internal to your site to make Caddy issue a cert using its internal issuer.


I don’t know, but I’ve tried that as well and no luck.

I might be missing something here, but adding tls internal to both site blocks hasn’t changed anything; I’m still getting ERR_SSL_PROTOCOL_ERROR in the browser.

New Caddyfile for reference:

192.168.20.11.nip.io {
	tls internal
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

homebox.192.168.20.11.nip.io {
	tls internal
	reverse_proxy 10.0.0.6:3100
}

EDIT: Silly me, I was testing by attempting to access via HTTP (port 4080->80) instead of HTTPS (4443->443). Accessing via HTTPS, using nip.io in the site block as well as tls internal, seemed to solve it.
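A complete Caddyfile for the setup described in this thread, as an added example that is not the original poster's config and not from the Caddy project. It ties together the two fixes from the replies (names ending in .nip.io, and tls internal because a public CA cannot validate a name that resolves to a private LAN address) and adds the check a practitioner would want for the HTTP-vs-HTTPS port mix-up: Caddy's built-in HTTP-to-HTTPS redirect points at port 443, which the host does not forward, so the redirect is disabled and replaced with one to the externally reachable port. The upstream 10.0.0.6:3100, the host IP and the 4080/4443 forwards are taken from the thread; the explicit redirect block is this example's own choice.

```caddyfile
# Added example, not the original poster's Caddyfile.
# Setup assumed from the thread: Caddy in a VM behind NAT, host
# 192.168.20.11 forwards 4080->80 and 4443->443 to the VM, and
# *.192.168.20.11.nip.io resolves to the host.
{
	# Caddy's automatic HTTP->HTTPS redirect targets port 443 (its
	# https_port), which is not the port the host forwards. Turn it off
	# and redirect explicitly below; certificates are still managed.
	auto_https disable_redirects
}

# Plaintext listener on :80 (reached from outside as host:4080).
# A request landing here was typed as http://, the mistake that produced
# ERR_SSL_PROTOCOL_ERROR in this thread. Send it to the forwarded TLS port.
http://192.168.20.11.nip.io, http://homebox.192.168.20.11.nip.io {
	# {host} is the Host header without its port; {uri} keeps path+query.
	redir https://{host}:4443{uri} permanent
}

# Default site: the stock Caddy welcome page, on :443 (host:4443).
# The log's rejectedIdentifier errors were for "homebox.192.168.20.11",
# which has no public suffix. Even with .nip.io appended, the name
# resolves to a private address a public CA cannot reach for HTTP-01 or
# TLS-ALPN-01 validation, so use Caddy's internal CA as suggested.
192.168.20.11.nip.io {
	tls internal
	root * /usr/share/caddy
	file_server
}

# Reverse proxy to the application on the VM's internal network.
homebox.192.168.20.11.nip.io {
	tls internal
	reverse_proxy 10.0.0.6:3100
}
```

Two checks before blaming Caddy: first, `dig +short homebox.192.168.20.11.nip.io` from the client should print 192.168.20.11; an empty answer usually means the LAN resolver's DNS-rebinding protection is dropping public answers that contain private addresses, and nip.io will not work through it. Second, tls internal only installs Caddy's root into the trust store of the machine Caddy runs on, so a browser on another machine will still warn until that root is imported; with the Debian/Ubuntu package it is assumed to live at /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt on the Caddy VM.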
